Challenge, Easy,  on  Containers

Docker 101: Authenticate to Private Container Registries

Ivan Velichko
by  Ivan Velichko

Most real-world container registries are private - you can't pull from them or push to them without authenticating first. Even Docker Hub asks for credentials as soon as you start pushing your own images.

In this challenge, you'll work with two different private registries and practice authenticating to each one with the right credentials using docker login.

The setup:

  • dev-01 is your workstation with Docker installed.
  • ci.internal:5555 is your team's internal CI registry.
  • registry.iximiuz.com is a private registry your team uses to host images.

Each registry has its own credentials:

  • ci.internal:5555: username: developer, password: ci-pass-123
  • registry.iximiuz.com: username: iximiuzlabs, password: rules!

Pull a private image from registry.iximiuz.com

A build of acme/widget has been pre-published to registry.iximiuz.com/acme/widget:v1.2.0, but the registry won't serve it to anonymous users. Authenticate with registry.iximiuz.com and pull the image to dev-01's local Docker daemon.

Hint 1

Try docker pull registry.iximiuz.com/acme/widget:v1.2.0 first - the error message should hint at what's missing.

Hint 2

The docker login command authenticates with a registry and stores the credentials locally so that subsequent pulls and pushes can reuse them:

docker login <registry-domain>

If you don't pass a registry, Docker defaults to Docker Hub (docker.io) - make sure to specify the registry domain you want to authenticate against (registry.iximiuz.com). After login, docker pull from the same registry should work.

Login to ci.internal:5555

ci.internal:5555 is a separate, internal registry your team uses for CI artifacts. It accepts a different username and password than registry.iximiuz.com, so you need a separate docker login for it.

Push the image to ci.internal:5555

Now that the local Docker daemon is authenticated against the CI registry, re-tag the previously pulled image and push it to ci.internal:5555/acme/widget:v1.2.0.

Hint 3

The recipe is the standard docker tag + docker push:

docker tag <existing-tag> <new-tag>
docker push <new-tag>

The push uses the credentials saved by the previous docker login automatically, matching the right credentials for the target registry (the domain part of the image reference).

Container image name format visualized: registry domain, repository path, tag, and digest.

How to Author Challenges on iximiuz Labs

Instead of providing a subpar online editing experience, iximiuz Labs offers a helper CLI tool called labctl, allowing you to use your favorite text editor (or a full-featured IDE) to write content from the comfort of your local machine.

Install labctl CLI

curl -sf https://labs.iximiuz.com/cli/install.sh | sh

This will download and install the latest version of the labctl CLI. You only need to do this once per workstation.

Authorize labctl

labctl auth login

This will open a browser window asking you to authorize labctl to access your account. You need to do it after a fresh install of labctl and repeat it whenever the auth session expires.

Pull challenge content

labctl content pull challenge docker-login-to-private-registries

This will create a local copy of the challenge content in a directory named docker-login-to-private-registries. You only need to do this once per challenge.

Stream your changes

labctl content push -fw challenge docker-login-to-private-registries

Run this command in a separate terminal to continuously upload your changes to the server while editing the challenge in your favorite text editor or IDE.

You can also use labctl to create, list, and delete your content. Learn more about the available commands: labctl content --help

Start challenge